111

2025-10-09 01:22:22 +00:00
parent 1c994f9f60
commit eab95c8c80
136 changed files with 11001 additions and 849 deletions
--- a/components/vault/jobs/vault-cluster-exec.nomad
+++ b/components/vault/jobs/vault-cluster-exec.nomad
@@ -1,283 +0,0 @@
-job "vault-cluster-exec" {
-  datacenters = ["dc1"]
-  type = "service"
-
-  group "vault-master" {
-    count = 1
-    
-    # 使用存在的属性替代consul版本检查
-    constraint {
-      attribute = "${driver.exec}"
-      operator = "="
-      value = "1"
-    }
-
-    constraint {
-      attribute = "${node.unique.name}"
-      value = "kr-master"
-    }
-
-    network {
-      port "api" {
-        static = 8200
-      }
-      port "cluster" {
-        static = 8201
-      }
-    }
-
-    task "vault" {
-      driver = "exec"
-
-      config {
-        command = "vault"
-        args = [
-          "server",
-          "-config=/opt/nomad/data/vault/config/vault.hcl"
-        ]
-      }
-
-      template {
-        data = <<EOH
-storage "consul" {
-  address = "{{ with nomadService "consul" }}{{ range . }}{{ if contains .Tags "http" }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}{{ end }}"
-  path    = "vault/"
-  # Consul服务发现配置
-  service {
-    name = "vault"
-    tags  = ["vault"]
-  }
-}
-
-listener "tcp" {
-  address     = "0.0.0.0:8200"
-  tls_disable = 1  # 生产环境应启用TLS
-}
-
-api_addr = "http://{{ env "NOMAD_IP_api" }}:8200"
-cluster_addr = "http://{{ env "NOMAD_IP_cluster" }}:8201"
-
-ui = true
-disable_mlock = true
-
-# 添加更多配置来解决权限问题
-disable_sealwrap = true
-disable_cache = false
-
-# 启用原始日志记录
-enable_raw_log = true
-
-# 集成Nomad服务发现
-service_registration {
-  enabled = true
-}
-EOH
-        destination = "/opt/nomad/data/vault/config/vault.hcl"
-      }
-
-      resources {
-        cpu    = 100
-        memory = 256
-      }
-
-      service {
-        name = "vault"
-        port = "api"
-        
-        check {
-          name     = "vault-health"
-          type     = "http"
-          path     = "/v1/sys/health"
-          interval = "10s"
-          timeout  = "2s"
-        }
-      }
-    }
-  }
-
-  group "vault-ash3c" {
-    count = 1
-
-    # 移除对consul版本的约束，使用driver约束替代
-    constraint {
-      attribute = "${driver.exec}"
-      operator = "="
-      value = "1"
-    }
-
-    constraint {
-      attribute = "${node.unique.name}"
-      value = "us-ash3c"
-    }
-
-    network {
-      port "api" {
-        static = 8200
-      }
-      port "cluster" {
-        static = 8201
-      }
-    }
-
-    task "vault" {
-      driver = "exec"
-
-      config {
-        command = "vault"
-        args = [
-          "server",
-          "-config=/opt/nomad/data/vault/config/vault.hcl"
-        ]
-      }
-
-      template {
-        data = <<EOH
-storage "consul" {
-  address = "{{ with nomadService "consul" }}{{ range . }}{{ if contains .Tags "http" }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}{{ end }}"
-  path    = "vault/"
-  # Consul服务发现配置
-  service {
-    name = "vault"
-    tags  = ["vault"]
-  }
-}
-
-listener "tcp" {
-  address     = "0.0.0.0:8200"
-  tls_disable = 1  # 生产环境应启用TLS
-}
-
-api_addr = "http://{{ env "NOMAD_IP_api" }}:8200"
-cluster_addr = "http://{{ env "NOMAD_IP_cluster" }}:8201"
-
-ui = true
-disable_mlock = true
-
-# 添加更多配置来解决权限问题
-disable_sealwrap = true
-disable_cache = false
-
-# 启用原始日志记录
-enable_raw_log = true
-
-# 集成Nomad服务发现
-service_registration {
-  enabled = true
-}
-EOH
-        destination = "/opt/nomad/data/vault/config/vault.hcl"
-      }
-
-      resources {
-        cpu    = 100
-        memory = 256
-      }
-
-      service {
-        name = "vault"
-        port = "api"
-        
-        check {
-          name     = "vault-health"
-          type     = "http"
-          path     = "/v1/sys/health"
-          interval = "10s"
-          timeout  = "2s"
-        }
-      }
-    }
-  }
-
-  group "vault-warden" {
-    count = 1
-
-    # 移除对consul版本的约束，使用driver约束替代
-    constraint {
-      attribute = "${driver.exec}"
-      operator = "="
-      value = "1"
-    }
-
-    constraint {
-      attribute = "${node.unique.name}"
-      value = "bj-warden"
-    }
-
-    network {
-      port "api" {
-        static = 8200
-      }
-      port "cluster" {
-        static = 8201
-      }
-    }
-
-    task "vault" {
-      driver = "exec"
-
-      config {
-        command = "vault"
-        args = [
-          "server",
-          "-config=/opt/nomad/data/vault/config/vault.hcl"
-        ]
-      }
-
-      template {
-        data = <<EOH
-storage "consul" {
-  address = "{{ with nomadService "consul" }}{{ range . }}{{ if contains .Tags "http" }}{{ .Address }}:{{ .Port }}{{ end }}{{ end }}{{ end }}"
-  path    = "vault/"
-  # Consul服务发现配置
-  service {
-    name = "vault"
-    tags  = ["vault"]
-  }
-}
-
-listener "tcp" {
-  address     = "0.0.0.0:8200"
-  tls_disable = 1  # 生产环境应启用TLS
-}
-
-api_addr = "http://{{ env "NOMAD_IP_api" }}:8200"
-cluster_addr = "http://{{ env "NOMAD_IP_cluster" }}:8201"
-
-ui = true
-disable_mlock = true
-
-# 添加更多配置来解决权限问题
-disable_sealwrap = true
-disable_cache = false
-
-# 启用原始日志记录
-enable_raw_log = true
-
-# 集成Nomad服务发现
-service_registration {
-  enabled = true
-}
-EOH
-        destination = "/opt/nomad/data/vault/config/vault.hcl"
-      }
-
-      resources {
-        cpu    = 100
-        memory = 256
-      }
-
-      service {
-        name = "vault"
-        port = "api"
-        
-        check {
-          name     = "vault-health"
-          type     = "http"
-          path     = "/v1/sys/health"
-          interval = "10s"
-          timeout  = "2s"
-        }
-      }
-    }
-  }
-}
--- a/components/vault/jobs/vault-cluster-podman.nomad
+++ b/components/vault/jobs/vault-cluster-podman.nomad
@@ -1,94 +0,0 @@
-job "vault-cluster" {
-  datacenters = ["dc1"]
-  type = "service"
-
-  group "vault-servers" {
-    count = 3
-
-    constraint {
-      attribute = "${node.unique.name}"
-      operator  = "regexp"
-      value     = "(warden|ash3c|master)"
-    }
-
-    task "vault" {
-      driver = "podman"
-
-      config {
-        image = "hashicorp/vault:latest"
-        ports = ["api", "cluster"]
-        
-        # 确保容器在退出时不会自动重启
-        command = "vault"
-        args = [
-          "server",
-          "-config=/vault/config/vault.hcl"
-        ]
-        
-        # 容器网络设置
-        network_mode = "host"
-        
-        # 安全设置
-        cap_add = ["IPC_LOCK"]
-      }
-
-      template {
-        data = <<EOH
-storage "consul" {
-  address = "localhost:8500"
-  path    = "vault/"
-  token   = "{{ with secret "consul/creds/vault" }}{{ .Data.token }}{{ end }}"
-}
-
-listener "tcp" {
-  address     = "0.0.0.0:8200"
-  tls_disable = 1  # 生产环境应启用TLS
-}
-
-api_addr = "http://{{ env "NOMAD_IP_api" }}:8200"
-cluster_addr = "http://{{ env "NOMAD_IP_cluster" }}:8201"
-
-ui = true
-disable_mlock = true
-EOH
-        destination = "vault/config/vault.hcl"
-      }
-
-      volume_mount {
-        volume      = "vault-data"
-        destination = "/vault/data"
-        read_only   = false
-      }
-
-      resources {
-        cpu    = 500
-        memory = 1024
-        
-        network {
-          mbits = 10
-          port "api" { static = 8200 }
-          port "cluster" { static = 8201 }
-        }
-      }
-
-      service {
-        name = "vault"
-        port = "api"
-        
-        check {
-          name     = "vault-health"
-          type     = "http"
-          path     = "/v1/sys/health"
-          interval = "10s"
-          timeout  = "2s"
-        }
-      }
-    }
-
-    volume "vault-data" {
-      type      = "host"
-      read_only = false
-      source    = "vault-data"
-    }
-  }
-}
--- a/components/vault/jobs/vault-dev-warden.nomad
+++ b/components/vault/jobs/vault-dev-warden.nomad
@@ -1,65 +0,0 @@
-job "vault-dev-warden" {
-  datacenters = ["dc1"]
-  type = "service"
-
-  group "vault-dev" {
-    count = 1
-
-    # 约束到有consul的节点
-    constraint {
-      attribute = "${meta.consul}"
-      operator  = "="
-      value     = "true"
-    }
-
-    network {
-      port "http" {
-        to = 8200
-      }
-      port "cluster" {
-        to = 8201
-      }
-    }
-
-    service {
-      name = "vault-dev"
-      port = "http"
-    
-      check {
-        type     = "http"
-        path     = "/v1/sys/health"
-        interval = "10s"
-        timeout  = "5s"
-      }
-    }
-
-    task "vault-dev" {
-      driver = "raw_exec"
-
-      config {
-        command = "vault"
-        args = [
-          "server",
-          "-dev",
-          "-dev-listen-address=0.0.0.0:8200",
-          "-dev-root-token-id=root"
-        ]
-      }
-
-      env {
-        VAULT_ADDR = "http://127.0.0.1:8200"
-        VAULT_TOKEN = "root"
-      }
-
-      resources {
-        cpu    = 500
-        memory = 512
-      }
-
-      logs {
-        max_files     = 10
-        max_file_size = 10
-      }
-    }
-  }
-}